Author: Lee Allison

"Context of the organization" is essentially a new requirement in management system standards, introduced based on the guidance given to standards writers in Annex SL. However, it is not really a new idea in the grand scheme of things when it comes to all things ISO MSS - management system standards, that is. To get straight to the point then: through the process of establishing and implementing any management system, an organization will have instinctively addressed many, if not all, of these requirements already, and probably without having realized it. Regardless of whether you approached this in a formal or an informal way, having a good understanding of the organization's business context is critical if your time and efforts are to bear fruit. For those who are transitioning from an older…

The biggest change to come to ISO management system standards (MSS) in recent years is the so-called "Annex SL". Annex SL is a high-level structure (HLS) described in ISO/IEC Directives, Part 1, which provides direction to standards writers by setting out guidelines that include a generic structure for requirements as well as common terms and text. About time, I say! Before Annex SL, comparing other management system standards of the past (e.g. ISO/IEC 27001:2005 and ISO 9001:2008), you can see that the underlying concepts and approach are basically the same. They all address requirements such as scoping, policy, roles and responsibilities, competency, operations, internal audit, management review, corrective action, and others. However, they have historically each told us the same thing in different ways. For example, in ISO 9001:2008 the requirement for…

During an internal audit of a client's business continuity management system, an auditee in the company's communications department, who was responsible for internal communications, offered up - when prompted - an improvement opportunity that he said he had identified a month or so earlier regarding the early warning procedure that they were currently following. Naturally, as an auditor, I wanted to see objective evidence of this improvement. At the time I was auditing, the procedure for notifying staff of an impending, potentially disruptive incident (an approaching sandstorm, for example) involved sending out a high-priority, red color-coded alert message. These messages were being sent by email and SMS to all staff in the company, at all levels, and to all locations and offices across the entire country in which they operated…

For a while now, I've been intending to create and post a couple of example documents for downloading. Yanno, the usual stuff, such as policies and common management system processes. Sitting here tonight, with nothing better to do, I figured I would get to work on an example/template for an ISMS Policy. Sounds easy enough. I have no problem banging them out when I'm busy at work helping organizations to prepare theirs. But I've been sitting here for hours now and have little to show for it. I'm phrasing it this way, then phrasing it another way, then changing my mind and looking at it from a completely different angle altogether. Which statement should I put in and which should I leave out? Who am I speaking to? What's the purpose…

How much does it cost to establish and implement a management system and to get your organization certified by an accredited certification body? The simple answer is that it can cost you anywhere from nearly nothing to lots and lots. In this post, I will try to explain the options that you have so you can choose an approach that will best suit your project's budget. Bear in mind, when planning the project budget, there will be some known costs that are reasonably predictable upfront (e.g. certification body, templates, training, consultant) and then there will be some additional costs that will likely come up as you move through each stage of the project (e.g. risk treatment and corrective actions). I will be focusing mostly on the more knowable factors here,…

PDCA, or Plan-Do-Check-Act, is also known as the Deming cycle or PDSA (S = study). It is probably the simplest and most logical of ideas and fundamental to all things ISO, in my opinion. The PDCA cycle is an iterative, four-step approach that emphasizes the continual improvement of processes through effective change management. ISO standards often refer to the "PDCA" cycle, but it is not itself mandated. Any method that leads to continual improvement can be used, but the PDCA cycle is probably the most commonly thought of. At a high level, management system standards, such as ISO 9001, ISO 22301, and ISO/IEC 27001, outline requirements that mirror this approach. You can see this reflected initially where standards require an organization to: establish, implement, operate, monitor, review, and continually improve the management system.…

Imagine a small, family-owned corner shop. It sells sweets, greeting cards, telephone SIM cards, and flowers, and has been in business for the last 50 years as it is passed down the family tree. It serves its customers from 8 am to 5 pm every day, except Sundays. As the local florist, it also provides a flower delivery service, and customers can place orders on its website. In order for the shop to continue to be profitable and to build its reputation over the years, it must consider and manage many issues; and as we know, things are always changing. For example, the shop's owners must ensure that they continue to comply with all applicable legal and regulatory requirements. This could entail the need for good accounting practices to…

There are many definitions of a management system, but here are two that get straight to the point. "A management system describes the set of procedures an organization needs to follow in order to meet its objectives... This process of systemizing how things are done is known as a management system." - ISO.org. "A management system is the framework of policies, processes, and procedures used by an organization to ensure that it can fulfill all the tasks required to achieve its objectives." - Wikipedia.org. In my mind, a management system is the way in which an organization standardizes its processes in order to consistently achieve its intended outcomes. Every management system is unique; there is no cut-and-paste approach to the implementation of an effective management system. What works for one may…

Ok guys. I'm keeping this page open as a place to tell me what subjects or areas you'd like me to cover. Make sure your suggestions are related to the ISO management system standards and I'll try to get to it at some point. Please leave your suggestions and questions in the comments below.